Comment 2 for bug 1332517

Bogdan Dobrelya (bogdando) wrote :

The source of the issue is that the rule from ./deployment/puppet/nailgun/manifests/iptables.pp:
$rule = "-s $network -j MASQUERADE"
command => "iptables -t nat -I POSTROUTING 1 $rule; \

wants to be the very first while the Fuel master node is deploying. That rule is needed in order to provide the routing options for OSt nodes via the Fuel master node.

But for some cases (like this one in the ticket), the docker containers startup process could place its own "very first" rules ahead,
./deployment/puppet/docker/templates/functions.sh.erb:
iptables -t nat -I POSTROUTING 1 -s "$NETWORK/$PREFIX" -p $proto -m $proto --dport $port -j ACCEPT

As a result we'd end up with a broken NAT chain when the admin network masquerading rule has been placed before the docker rules.

The solution is to add an admin network masquerading rule with the -A option instead of -I 1. That would do the trick unless we have placed the blocking rules at the end of the NAT list. We don't use any for now, so it is OK to do so...
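Added example (not code from the bug report or from Fuel): a small Python model of the nat POSTROUTING chain that replays the puppet and docker startup steps in either order. It shows why two competing "-I 1" inserts end up ordered by whichever process ran last, why "-A" keeps the masquerading rule behind the docker rules in both orders, and why a terminating rule already sitting at the end of the chain (the caveat above) would defeat "-A". Subnet, port and packet values are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values; the real $network and $NETWORK/$PREFIX come from the deployment.
ADMIN_NET = ip_network("10.20.0.0/24")
PUPPET_RULE = {"src": ADMIN_NET, "proto": None, "dport": None, "target": "MASQUERADE"}  # -s $network -j MASQUERADE
DOCKER_RULE = {"src": ADMIN_NET, "proto": "tcp", "dport": 8000, "target": "ACCEPT"}     # -s $NETWORK/$PREFIX -p tcp --dport 8000 -j ACCEPT
# A catch-all terminating rule already at the end of the chain: the caveat raised about using -A.
BLOCKING_TAIL = {"src": ip_network("0.0.0.0/0"), "proto": None, "dport": None, "target": "RETURN"}
DOCKER_PKT = {"src": ip_address("10.20.0.3"), "proto": "tcp", "dport": 8000}   # traffic the docker rule is meant to catch
ADMIN_PKT = {"src": ip_address("10.20.0.50"), "proto": "udp", "dport": 53}     # ordinary admin-network traffic to masquerade

def insert(chain, pos, rule):
    """iptables -I CHAIN <pos>: positions are 1-based, so 1 makes the rule the very first."""
    chain.insert(pos - 1, rule)

def append(chain, rule):
    """iptables -A CHAIN: the rule lands after everything already in the chain."""
    chain.append(rule)

def matches(rule, pkt):
    if pkt["src"] not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    return rule["dport"] is None or rule["dport"] == pkt["dport"]

def first_match(chain, pkt):
    """nat POSTROUTING stops at the first matching rule; None means the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return None

def simulate(puppet_mode, docker_runs_last, pkt, tail=None):
    """Replay the puppet and docker startup steps in either order and report which target pkt hits."""
    chain = [] if tail is None else [tail]
    def puppet_step():       # nailgun/manifests/iptables.pp, with either -I 1 or -A
        if puppet_mode == "-I 1":
            insert(chain, 1, PUPPET_RULE)
        else:
            append(chain, PUPPET_RULE)
    def docker_step():       # docker/templates/functions.sh.erb always uses -I 1
        insert(chain, 1, DOCKER_RULE)
    for step in ([puppet_step, docker_step] if docker_runs_last else [docker_step, puppet_step]):
        step()
    return first_match(chain, pkt)
```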